You will hear people say: Yeah but end user’s don’t care about these indicators, look at the research papers …(and they will produce research papers that they paid for!)….

Is there research suggesting that average users are helped by the EV-indicator to distinguish between the intended site and a fraudulent site?

Quote from: Melih

My answer to them is: Then why have it? Remove it, your own paid research paper says no one cares, so remove it! You can’t have it both ways. You can’t say user’s don’t care but we will continue showing it to users knowing that it will cause harm to them.

That is the plan for Chrome:

Quote from: Ryan Sleevi (Google)

Thus, our focus is on introducing negative indicators that accurately reflect when there is no connection security, while also working to reduce the confusion introduced by the myriad of positive indicators by aligning to a single, neutral state.

Is there research suggesting that average users are helped by the EV-indicator to distinguish between the intended site and a fraudulent site?That is the plan for Chrome:https://cabforum.org/pipermail/public/2017-July/011671.htmlA “single, neutral state” for secure connections, and negative indicators for insecure connections.

You are missing the point Jowa.

1)browsers should stop displaying a misleading indicator2)browsers should train users to look for proper indicators

Just because they have failed by confusing users with non uniform indicators, just because they failed by not educating users about what to look for, you cannot diminish the value of visual indicators.

Visual indicators are of value, if trained properly.

You are conflating the current state of affairs...which is a mess created by showing users indicators that shouldn't be there causing consumer harm.....not training users on the proper ones they should be looking at.....you are implying that Visual indicators are meaningless. You are simply wrong.

Visual indicators are very powerful...remember Traffic lights.... remember hologram on credit cards....we just have to use them properly.....that is the issue!

Educate and train users, why does that make me think of Σίσυφος? Maybe because trying to teach people something they do not want to be taught (like boring technical stuff) is like trying to defeat gravity. It fails every time.

If a solution is not effective for billions of users, ranging from about 5 to about 105 years, maybe changing the solution is a better way than trying to change all users. And as Cormac Herley (Microsoft) argues, “users’ rejection of the security advice they receive is entirely rational”.

Traffic lights work, and they would still work if the green light were removed. The driver only needs to know it has to stop (red light, negative indicator). If there is no light, keep going.

No, because to go from one place to another is in the driver’s interest. The driver, however, is not interested in stopping until it has arrived at that other place. That is why red traffic lights are needed, to avoid accidents. Green is redundant.

Similarly, web users are interested in going to various sites. They will go to those sites with or without a green traffic light (a positive indicator). They may even go to a site with a red traffic light (negative indicator), if they learn that it doesn’t mean anything (false alarm, as the users see it).

No, because to go from one place to another is in the driver’s interest. The driver, however, is not interested in stopping until it has arrived at that other place. That is why red traffic lights are needed, to avoid accidents. Green is redundant.

Similarly, web users are interested in going to various sites. They will go to those sites with or without a green traffic light (a positive indicator). They may even go to a site with a red traffic light (negative indicator), if they learn that it doesn’t mean anything (false alarm, as the users see it).

The driver can go from one place to another without stopping as long as he sees green light! If no green light, stop...if Green light go....

The driver can go from one place to another without stopping as long as he sees green light! If no green light, stop...if Green light go....

The driver can sometimes drive several kilometres without seeing a single traffic light of any colour. Or wait, since there is no green light, according your reasoning, no driving? I think the nearest traffic light is 1½ km from where I live. Should I expect lots of new traffic lights, so at least one is always in sight?

And so has Chrome (56), “as part of a long-term plan to mark all HTTP sites as non-secure”.

That's such a demagogue's trick; it's a scare tactic make people believe the web (it's still mostly http) is a dangerous place. It's an abomination.

All users need to know is that look for https (either with EV or OV cert) when logging in on a website and that they can look at what the browser tells. The browser should send a positive sign of security when an OV or EV is being used.

About sixty percent of the connections made with Firefox (40 % in January 2014) and Chrome are now secure. For sites where people log in, that number is probably much higher.

LE's contribution is much less than 2% of the traffic according to Mozilla telemetry (https://crt.sh/mozilla-certvalidations)...Yet it represents huge amount of the Phishing attacks...huge majority is provided by Symantec and Comodo...